ISFO – ODAA

1. ISFO – ODAA Nov 2013 Defense Security Service Industrial Security Field Operations(ISFO) Office of the Designated Approving Authority (ODAA) Nov 2013

2. ISFO – ODAA Nov 2013 Defense Security Service Overview: • Security Plan Reviews • Security Plan Processing Timeliness • Top Ten Deficiencies Identified in Security Plans • System Onsite Validations • Timeliness • Top Ten Vulnerabilities

3. ISFO – ODAA Nov 2013 Defense Security Service Certification & Accreditation • DSS is the primary government entity responsible for approving cleared contractor information systems to process classified data. • Work with industry partners to ensure information system security controls are in place to limit the risk of compromising national security information. • Ensures adherence to national industrial security standards.

4. ISFO – ODAA Nov 2013 Security Plan Review Results from Nov 2012- Oct 2013 Performance: Metrics reflect excellent performance across the C&A program nationwide. Improvements have been made in the number of systems processed straight ATO and reducing the number of days systems operate on an IATO when compared to six months ago. Common reasons for second IATOs are Host Based Security System (HBSS) not installed, Onsite validation rescheduled due to ISSP and/or ISSM availability, Administrative reasons after the system is certified (MOUs, etc.).

5. ISFO – ODAA Nov 2013 Common Deficiencies in Security Plans from Nov 2012- Oct 2013 Top 10 Deficiencies SSP Is incomplete or missing attachments SSP Not Tailored to the System Inaccurate or Incomplete Configuration diagram or system description Sections in General Procedures contradict Protection Profile Missing certifications from the ISSM Missing variance waiver risk acknowledgement letter Incorrect or missing ODAA UID in plan submission Integrity & Availability not addressed completely Inadequate anti-virus procedures Inadequate trusted download procedures

6. ISFO – ODAA Nov 2013 On Site Review Results from Nov 2012- Oct 2013 Performance: Metrics reflect excellent performance across the C&A program nationwide. Improvements have been made in the number of systems processed straight ATO and reducing the number of days systems operate on an IATO when compared to six months ago. We are averaging over 45% of all ATOs being straight to ATO.

7. ISFO – ODAA Nov 2013 Common Vulnerabilities found during System Validations from Nov 2012- Oct 2013 Top 10 Vulnerabilities • Security Relevant Objects not protected. • Inadequate auditing controls • SSP does not reflect how the system is configured • Improper session controls: Failure to have proper user activity/inactivity, logon, system attempts enabled. • Bios not protected • Topology not correctly reflected in (M)SSP • Inadequate configuration management • Physical security controls • Inadequate Anti-virus procedures • Identification & authentication controls

8. ISFO – ODAA Nov 2013 Defense Security Service Summary and Takeaways: • Security Plans are Being Processed and Reviewed in a Timely Manner • Most Common Deficiencies in SSPs Include Missing Attachments, Documentation Errors, Integrity and Availability Requirements • Need More Emphasis on Reducing Deficiencies • Onsite Validations are Being Completed in a Timely Manner • Most Common Vulnerabilities Identified During System Validation Include Auditing Controls, Configuration Management, Not Protecting Security Relevant Objects • More Straight to ATO (Where Practical) to Reduce Risk and Increase Efficiency

9. ISFO – ODAA Nov 2013 Defense Security Service Questions